Identification of relevant aspects of the company


Risk Assessment Report Overview
The objective of this assignment is to develop a Risk Assessment Report for a company, government agency, or other organization (the "subject organization"). The analysis will be conducted using only publicly available information (e.g., information obtainable on the Internet using a browser, company reports, news reports, and journal articles). Your risk analysis should consider legitimate, known threats that pertain to the subject organization. Based on the information gathered, presumed vulnerabilities of the company's or organization's computing and networking infrastructure will be identified. Then, based on the identified threats and vulnerabilities, you will describe the risk profile for the subject organization, including recommendations to mitigate the risks.
There is a wealth of business-oriented and technical information that can be used to infer likely vulnerabilities for an organization. It is recommended that students select their organizations based at least in part on ease of information gathering, from a public record perspective. Your instructor will provide some detailed guidance and instructions for sources for gathering some types of technical information about organizations, including technology and vendor preferences. 

Steps to be Followed
A. Pick a Subject Organization: Follow these guidelines:
You may have NO connection to the company or its employees (no insider information). All the information you collect must be readily available for anyone to access. You will describe in your abstract how you intend to collect your information.
You should pick a company or organization that has sufficient publicly available information to support a reasonable risk analysis, particularly including threat and vulnerability identification.
B. Develop Subject Organization Information: Examples of relevant information include:
Company/Organization name and location
Company/Organization management or basic organization structure
Company/Organization industry and purpose (i.e., the nature of its business)
Company/Organization profile (financial information, standing in its industry, reputation)
Identification of relevant aspects of the company's/organization's computing and network infrastructure, as determined by publicly available information. Note: Do not try to access more information through social engineering, or through attempted cyber attacks or intrusion attempts. This is a look at how readily available information might be used from a risk management perspective.
C. Analyze Risks
For the purposes of this assignment, the class will follow the standard risk assessment methodology used within the U.S. federal government, as described in Section 3 of NIST Special Publication 800-30, "Risk Management Guide for Information Technology Systems." This is only one of many available methodologies, but students should find it both easy to understand and flexible enough to apply to differing levels of scope.
In conducting your analysis, focus on identifying threats and vulnerabilities faced by your subject organization.
Based on the threats and vulnerabilities you identify, next determine both the relative likelihood and severity of impact that would occur should each of the threats materialize. This should produce a listing of risks, at least roughly ordered by their significance to the organization.
For the risks you have identified, suggest ways that the subject organization might respond to mitigate the risk.
D. Prepare Risk Assessment Report:
Reports should be 12-15 pages, double-spaced, and should follow a structure generally corresponding to the nine-step risk assessment process described in NIST Special Publication 800-30, "Risk Management Guide for Information Technology Systems." 
